Data Security & Privacy Policies

v19.7.1

Last Updated 1 July 2019.

 

General Definitions

The following definitions apply to both the Data Security and Privacy Policies below.

Administrator means the person within the user organisation that is responsible for the running any of the solutions delivered by OfficeTorque.
Company means OfficeTorque Limited, (OfficeTorque), a private limited liability company registered in New Zealand.
Customer means You and includes Your employees, consultants, representatives and agents
Data means any data and information entered by You or transferred to the Service via the synchronising software.
GDPR (General Data Protection Regulation) means the new European Data Security Standards effective May 2018. (Find out more here).
Intellectual Property means any patent, trade mark, service mark, copyright, moral right, right in a design, know-how and any other intellectual or industrial property rights, anywhere in the world whether or not registered.
Invited Users means users of the Service that You authorise to have access to the Service.
Monthly Fees / Usage Fees means the monthly fees (excluding any taxes and duties) payable by You in accordance with the pricing schedule posted on the Company Websites.
Organisation / Customer means the entity that contracts to use the Service from OfficeTorque.
Service / Software means OfficeTorque FRM or any other software services provided by OfficeTorque Limited, and the functions and deliverables provided to You via the Websites by way of a service subscription or software license. The terms Service and Software mean the same.
Websites means the internet website at the domain www.officetorque.com or any other site operated by the OfficeTorque Limited.
User / You / Your means You and includes Your employees, consultants, representatives and agents.

 

1. Data Security

Overview

At OfficeTorque, we are committed to providing best practice systems and procedures to maximise the security of our Customers’ data.

Our multi-layer approach to security includes the use of the following:
• SSL TLS (v1.2) secured connection between Your System and our Database Servers
• SSL TLS (v1.2) secured login for Web Based Management System
• Login to Web Based Management System is secured using CAPTCHA (proof of human being)
• Auto lockout after 5 failed login attempts (1 hour)
• Use of usernames and passwords. All passwords are stored encrypted
• PCI DSS Payment Gateway compliance (Level 1)
• Enterprise-grade hosting facilities located in Your region
• Information Security Management System based on the ISO27001-2013 framework
• Activity and security monitoring
• Continual monitoring and upgrades against vulnerabilities
• Backups and disaster recovery readiness
• Administrator management role for managing Your internal users and access levels

Roles and Responsibilities
Data security is a shared responsibility and whilst OfficeTorque and its partners will continue to deliver the latest in protection mechanisms for the data you trust to us, there are elements of the total solution that require Your attention as well. These include:

• Internal security for Your Source Customer information (ERP, Accounting Software, CRM)
• Internal Web browser and email security (e.g.: malware and phishing emails)
• End Customer access authorisation to the Services
• User access authorisation (Adding / removing users and determining their access level)
• Managing login password security
• Internal PCI DSS procedures for managing payment authorisations
• Where applicable, compliance with the European GDPR regulations regarding personal data relating to EU and UK entities (Find out more here)

 

System Access
Access to Your OfficeTorque system is controlled by Your system Administrators. All users of the system, except OfficeTorque staff, must be created or removed by Your Administrator (except by written exception).

Your internal Administrator of Your account has the flexibility to invite an unlimited number of internal users into Your system. They have control over who has access and what they are able to do.

You also have control over which of Your end customers can access the services.

Access for both internal and external users is by way of secure login and password.

OfficeTorque staff have access to Your system for the purposes of implementation and providing support. This access is regularly reviewed and individuals removed when no longer required.

Data encryption
We encrypt all data that goes between You and Your OfficeTorque system using industry-standard TLS (Transport Layer Security), protecting Your client and transactional data. All system passwords are also encrypted at rest when it is stored on our servers, and encrypted when we transfer it for backup.

Network protection
OfficeTorque uses multi-layers of security controls to protect access to and within our environment, including firewalls, intrusion protection systems and network segregation. Our security services are configured, monitored and maintained according to industry best practice.

Security Monitoring and Penetration Testing
OfficeTorque continuously monitors security systems, event logs, notifications and alerts from all systems to identify and manage threats. Our Vulnerability Scanner and Penetration Testing software continually checks for over 10,000 weaknesses and vulnerabilities at both software and hardware levels. Regular system upgrades are carried out to protect against any potential vulnerabilities. Our Database Servers operate a strict least privilege access control model to ensure data confidentiality. Collected data is loaded onto secure storage and protected by strict authorisation access controls. Access is only granted to staff involved in Your implementation, ongoing support and database server administrators. Individual access is regularly reviewed and removed when no longer required.

Access to data on Your servers. (Integration by OfficeTorque only, not required if client provides the data)

OfficeTorque requires read only access to Your data in order to transfer it to the cloud. OfficeTorque uses best practices to ensure that access to Your system is limited to only implementation staff trained in the use of our connector technology. Access is typically limited to 1 person though from time to time this may be extended to include additional senior technical support. Once the sync process has been setup OfficeTorque access can be removed so that only the ongoing sync configured by OfficeTorque has access.
A copy of all data sent by the sync process is kept on the client servers for the purposes of auditing and disposed of as required.

Data Centre and Hosting Services
OfficeTorque FRM will host Your instance of the software on Australian or UK based enterprise-grade data centres depending on Your location. Data is not moved between data centre locations, and You will be advised exactly where Your data is stored.

OfficeTorque uses enterprise quality commercial data centre facilities that feature:
• 99.99% uptime
• redundant power and cooling systems
• fully diverse fibre and internet connectivity
• 24 x 7 manned highly secure facility with biometric, proximity card entry & motion tracking CCTV monitoring
• enterprise grade firewalls
• secure backup service
If required, OfficeTorque can, on an exception basis, provide alternate hosting options for FRM 5 Series as follows:
• Virtualised onto the Customer’s Data Centre
• Virtualised onto the Customer’s own internal servers

 

2. Privacy Policy

OfficeTorque is committed to protecting information and respecting Your privacy.
This policy, together with our terms and conditions, sets out the basis on which any personal data we collect from You, and any data that You upload or authorise to be uploaded to the Service will be processed by us. In the event of a conflict or disagreement between this Privacy Policy and the terms of use, the Terms and Conditions will prevail.

Ownership of Data
OfficeTorque will only store data that is entered by You, or automatically imported at Your instruction. The data entered, or imported on instruction, by You remains Your property and OfficeTorque will not use nor make available for use any of this information without Your permission.
It is Your responsibility to keep the Service access passwords safe. It is the Administrator’s responsibility to ensure that any users that are invited to use the Service (Invited Users) have permission to view Your information stored in the Service. Neither our staff nor our third party service partners have access to any user passwords.
Third parties may only view the areas of the Service and information that You wish them to have access to.
OfficeTorque will give You access to Your data at any time.

Your data will be permanently deleted by us after You terminate or stop paying to use the Service, or at the Administrator’s request in writing or by email to customersupport@officetorque.com.
Provided that You have met Your obligations under the Supply Agreement, a full copy of all Your data will be provided to You prior to deletion from our servers.

Collection and use of Personal and Organisational Information
If You decide to register with and use software provided by OfficeTorque (the “Service”) You will be asked to provide certain information about Yourself and/or Your organisation including Your name and contact details. No sensitive personal data will be gathered or stored. By submitting Your personal and/or organisational information, You consent to the collection, use and transfer of Your information in accordance with the terms of this privacy policy.
We will only use Your personal and/or organisational information for the following purposes:
1. to carry out a credit check
2. to verify Your identity
3. to enable us to provide You with access to the Website and to use the Service and to enable You to download information and materials from the Website; the registration form, to contact You with our newsletter and other email updates;
4. to make You aware of any system or operational changes that may affect the Service;
5. to produce summary reports, statistics and analysis of the types of people who access the Website;
6. to contact You for Your views on the Website and our Service and to notify You occasionally about important changes or developments to the Website and the Service; and to administer, support, improve and develop Our Website and our Service.
We reserve the right to use the name and/or logo of the company You work for in publicity and testimonial material, advertising or marketing collateral, unless You specifically tell us otherwise. Your name, address details and all other personal information will remain confidential at all times.
At no time will we access or use information held in the system pertaining to Your customers, unless instructed and authorised by You in writing. Eg: To carry out a customer survey on Your request.

Disclosure of Your Personal and Organisational Information
We follow strict guidelines in the storage and disclosure of information, which You have given us, to prevent unauthorised access. We comply with the laws of the countries in which we operate.
We do not disclose Your personal data to any third party except to the extent that we may disclose Your personal data to third parties (whether in NZ or elsewhere) for the purposes of providing Services from us.
We may also disclose Your personal information to third parties:
1. In the event that we sell or buy any business or assets, in which case we may disclose Your personal data to the prospective seller or buyer of such business or assets.
2. If OfficeTorque Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
3. If we are under a duty to disclose or share Your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of OfficeTorque Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Please note that this may include the transfer of Your personal data to one or more countries outside NZ.
At no time will we disclose information held in the system pertaining to Your customers.

Your Obligations
You represent, warrant and undertake that when using the Service You will at all times comply with all applicable local and national laws including but not limited to those relating to privacy and the processing of personal data and other information, including the requirements detailed in the GDPR. (Find out more here)

You agree to promptly comply with any request from us requiring You to amend, transfer and/or delete any information recorded by You on our Service.
You agree to indemnify us and keep us indemnified and defend us at Your own expense against all costs, claims, damages or expenses incurred by us or for which the we may become liable due to any failure by You (or Your employees or agents where applicable) to comply with Your obligations under this Privacy Policy.

GDPR (General Data Protection Regulations)
OfficeTorque has modified its data privacy policies and procedures to ensure compliance with the new GDPR regulations which came into effect in May 2018. (Find out more here).

Payment Management
OfficeTorque has developed a comprehensive, secure and highly available payments management capability. This capability allows the Solution on offer to connect to banks for the processing of credit card and bank account payments.

The Solution has been developed to worlds best security/data protection standards inclusive of the rigorous PCI DSS standards. Credit Card details are encrypted (tokenised) to protect both You and Your clients from potential fraudulent activity.

OfficeTorque processes credit card and bank account payments to its bank via a bank approved third party processor that is L1 Level PCI DSS compliant, the highest level of compliance.

System Monitoring
OfficeTorque has access to and may use non-identifying aggregate information such as number of associated users, number of transactions and billing information for the purpose of billing and monitoring server and software performance as well as for other internal purposes.
OfficeTorque may publish non-identifying aggregate information such as the number of users, and user activity indicators.
Third Party Suppliers and Links to Our Website may contain links to third-party websites. We take no responsibility for the privacy practices or content of these websites. You are responsible for checking the privacy policy of any third-party websites we link to.

Privacy complaints process
If You wish to complain about how we have handled Your personal information, please provide full details of Your complaint and any supporting documentation by e-mail to cutomersupport@officetorque.com.

Changes to these policies
This policy may be updated from time to time.
We reserve the right to change this policy at any time and any amended policy will be posted on our Website at www.officetorque.com/privacy

Questions regarding this privacy policy are welcomed and should be forwarded by email to customersupport@officetorque.com